UNC General Administration has worked out a license template that is approved for use across the UNC System Institutions for purchase of JAMF Software’s Casper Suite management tools for Apple Devices. Details on the UNC System Agreement – JAMF Software Casper Suite are available from each institution’s Combined Pricing Initiative (CPI) representative or UNC GA.
The UNC Wide Casper Suite Service is a deployment of the UNC System Agreement – JAMF Software’s Casper Suite license that uses a shared JSS server hosted by JAMF Software at nc.jamfcloud.com to provide secure, federated, enterprise managment of Apple devices across participating UNC System Institutions. The service makes use of a network of JAMF Distribution Servers(JDS) which are automatically and securely synced across the various participating servers. NC State maintains 4 JDS servers, in 2 independent, hardened machine rooms one of which is currently the Master JDS for the service.
What is required to use the UNC Wide Capser Suite Service?
What is the requirement for access to a campus directory (AD or LDAP)?
Are there firewall requirments to use the UNC Wide Casper Suite Service?
Does the UNC Wide Casper Service have Apple GSX access for automated lookup of Apple Devices?
Can JAMF Software’s SCCM Plug-In be used with the UNC Wide Casper Service?
Are NetBoot or Software Update Servers Provided with the UNC Wide Casper Service?
Resources and Contacts
What is required to use the UNC Wide Capser Suite Service?
0) An authorized agent of the institution must sign and comply with the UNC Wide Casper Memorandum of Understanding for security and compliance purposes.
Request access to the MOU at https://go.ncsu.edu/caspermou
1) Insititutional groups must purchase at least 10 licenses for either OS X or iOS devices (or 10 OSX and 10 iOS if both are required) to have their own Casper Site.
UNC Institutions should contact their CPI representative for costing and purchasing details
NC State groups should see: software.ncsu.edu/vendor/jamf-software-casper or email firstname.lastname@example.org to purchase
2) Each Insititutional group will have their own Casper Site for secure federated management. Note that all packages are shared and evey group is responsible for license compliance with each vendor for the packages used at that group’s institution. NOTE: When transitioning to the UNC Wide Casper Suit Service from an existing Casper deployment all OS X and iOS devices must be re-enrolled due to change in both the management URL and the institutional push certificates.
Each Site owner must provide secure (ldaps) access to a supported directory (AD or ldaps) containing a group of people that are the administrators of their Casper Site.
NOTE: If the secure ldap connection requires a non-standard certificate (i.e. directory uses self-signed or self-assured certificates) special arrangements will have to be made with JAMF support to get the correct certificate chains added to the hosting server.
Only READ ONLY access to the User Name (typically uid or sAMAccountName), User ID (uidNumber) and Group Membership (memberOF) attributes of the User record and the Group name (cn) and Group Id (gid or uSNCreated, this is a number) attributes of the Groups record is required unless the directory uses a different configuration (most commonly this would be acess to the Member attribute of the Group record instead of User>MemberOf). Casper is designed for machine management, however features like User Self-Service are also availabe but requires access to a broader institutional user information than a simple group of machine administrators. NOTE: Accounts can not be created on the central JSS for institutional individuals or groups.
It is strongly suggested that institutional directory access be granted via a special, read only, service-user account with permissions engineered and used for this purpose only.
4) Each site owner must ensure that institutional firewall access is granted on the required ports for directory ldaps access (typically 636 or custom ports) and client access over the standard HTTPS port (443) to the hosted JSS. Information on configuration is available from the UNC Wide Casper Administration (UWCA) Team.
5) Optionally: Those wanting to package software should provide an additional directory group containing the people who can package software. Software packagers for each site will have read, create, and change permissions but not delete for the following features in the JSS: Categories, Packages, Scripts, Printers, Directory Bindings, Dock Items, Configurations, NetBoot Servers, Extension Attributes, Peripheral Types, Removable MAC Addresses, Buildings, Departments, Network Segments.
NOTE: Each unit is required to name packages with INSTITUTION-unit prefix. So packages made by OIT at NC State would be named:
This avoids issues with other UNC system schools in the hosted environment.
It is also important for those repackaging licensed software to create packages that can apply licenses via policy after installation.
The UNC Wide Casper Administration team will delete packages and other created features upon verified request of the Site Owner and reservers the right to delete any package of feature that is causing system failure without prior notification. In general packagers from individual institutions should create packages and features that clearly identify the institution which created them and work to avoid conflicts.
6) Each site is strongly encouraged to train at least one person for either the Casper Certified Administrator (CCA) or Certified JSS Administrator (CJA). See JAMF Software Training at: www.jamfsoftware.com/training
7) Optionally: One CCA or CJA trained, person from each UNC Institution can join the UNC Wide Casper Administration(UWCA) Team to help with conflict resolution and routine maintance tasks. A representative from NC State and Applicaian State form the initial UWCA Team.
8) Optionally: If a Site would like to host a JAMF Distribution Server (JDS) they should work with their Casper Administration Team member or the UNC Wide Casper Administration Team to setup.
9) Optionally: Sites desiring other types of Casper Access (API, Reporting Only, Add Machine Only, etc) should work with their Casper Administration Team member or the UNC Wide Casper Administration Team to setup.
10) Any conflct resolution or requests will be handled by majority agreement of the UNC Wide Casper Administration Team.
11) The UWCA team will provide UNC GA with a report of total seat usage across the UNC System on September 15 annually to help inform institutions in meeting the required 8000 seat goal.
12) Organizations that have existing Casper Licneses or wish to purchase Jump Start, CCA or CJA training should contact email@example.com for information on license conversion, license prorating, and training costs.
Yes the UWCA Team has created a unique Apple ID for GSX access which provides information on purchased devices as expected in the JSS. Since lookups are based on hardware only this is useful for all system instititutions.
The current implementation of JAMF Software’s SCCM Plug-In allows only 1 instance to be attached to a single JSS making direct use of SCCM Plug-Ins from multiple institutions not possible. The UWCA believes there might be a work-around using a shadow, reporting only, JSS streamed via the JSS-toJSS Plug-In but this would need to tested and impemented in the future and is not available at this time. If interested please work with the institutional Casper Administration Team member or the UWCA.
It is up to each institution to provide their own NetBoot Servers and/or Software Update Servers (SUS). These types of servers, like JDS servers, provide much faster service the closer they are to the client machines they serve in terms of network topology. For details on creating and administrating these type servers for you institution please see:
Production service: https://nc.jamfcloud.com:443/
Test service : https://nccloudtest.jamfcloud.com:443/
UNC Wide Administrators: firstname.lastname@example.org